john nicholson presentation
DESCRIPTION
TRANSCRIPT
Pillsbury Winthrop Shaw Pittman LLPPillsbury Winthrop Shaw Pittman LLP
Privacy for Social Media and Location-Based Services
John L. NicholsonCounsel, PWSPWashington, [email protected]: (+1)202-663-8269www.virtualworldlaw.com
1 | Privacy for Social Media and Location-Based Marketing
The good news and the bad news -
I’m a lawyer…
I’m from Washington …
and I’m here to help you.
2 | Privacy for Social Media and Location-Based Marketing
What We’ll Cover
Privacy LawsCurrent status of global privacy laws, Recent regulatory concerns and guidance for social media and location-based servicesWhat might happen
Creating Privacy Policies and Privacy by Design
3 | Privacy for Social Media and Location-Based Marketing
Where We Stand on Privacy Laws
“Where you stand depends on where you sit.”
- Nelson Mandela
4 | Privacy for Social Media and Location-Based Marketing
EU – Most stringentprivacy law
Switzerland – EU-styleprivacy law
Russia – EU-styleprivacy law
China – EU-styleprivacy law
Australia / NZ –EU-style privacy law
Japan – EU-styleprivacy law
Asia (General) – EU-styleprivacy law, APEC
Israel – EU-styleprivacy law
Dubai – EU-styleprivacy law. 1st
in Middle East
Africa (General) –Privacy law not developed
S. America (General) –Privacy law developing
Argentina –EU-styleprivacy law
Mexico – EU-styleprivacy law
Canada – EU-styleprivacy law (PIPEDA)
US – “Harm”-based,sectoral privacy law
5 | Privacy for Social Media and Location-Based Marketing
What Is “EU-style” Privacy Law?
Views personal information as being owned and controlled by datasubject
Much broader definition of personal informationEffectively any uniquely identifying data
Comprehensive approach based on “privacy principles”Principle 1: Collection Limitation Principle 2: Data Quality Principle 3: Purpose Specification Principle 4: Use Limitation Principle 5: Security Safeguards Principle 6: Openness Principle 7: Individual Participation Principle 8: Accountability
Enacted by EU Parliament and then enacted into member state law by each state – so each is slightly different
6 | Privacy for Social Media and Location-Based Marketing
Why Should You Care About the EU Approach?
Your customers in countries with EU-style privacy laws do
And even if they don’t, the regulators in those countries do2010 – Google executives CONVICTED in Italy for violating privacy law by failing to take video off YouTube quickly enough
Was posted for 2 monthsTaken down within 2 hours of notice from Italian police
2010 – Many countries investigate Google for capturing personal information as part of Street View project2011 – South Korea considering prosecuting Google for privacy violations related to Google Street View
7 | Privacy for Social Media and Location-Based Marketing
What is US “Harm”-Based Approach
Views personal information as commodity to be bought, sold and traded
Applies limits only where “harm” is identifiedFinancial information (GLBA)Health information (HIPAA)Children’s information (COPPA & FERPA)Social security numbersDrivers license numbersTelephone / email recordsVideo rental / library recordsEtc.
State data breach notification lawsCaliforniaPatchwork frameworkSome states now adding medical information
However, US is moving towards a more comprehensive, holistic definition of “harm,” broader definition of PII, broader security obligations
8 | Privacy for Social Media and Location-Based Marketing
Massachusetts
New Massachusetts law requires employers to tell workers w/in 10days about any info placed in employee’s personnel file that has been or may be used to negatively affect the worker’s job
Employee also has right to review or get a copy of records w/in days of request up to 2x/year Limit does not apply to the notice and review of negative entriesFailure could lead to fine between $500 and $2,500 per incident
Could cause problems for employers during other employment litigation. If discovery reveals that employer failed to comply, could hurt the employer’s credibilityDocumentation dilemma
Attorneys tell clients to document employee issues as much as possible, just in case the issues go to litigationNew law makes putting relatively innocuous information into a personnel file a much more-provocative event. Now a note in a file carries the risk of upsetting employee
“I hope you know that this will go down on your Permanent Record.”
9 | Privacy for Social Media and Location-Based Marketing
Massachusetts
“Standards for the Protection of Personal Information of Residents of the Commonwealth” (201 Mass. Code Regs.§ 17.00)
Who Must Comply?“…persons who own, license, store or maintain personal informationabout a resident of the Commonwealth of Massachusetts.”A presence in Massachusetts is not required to be liable under the Regulation.
Requires organizations to develop, implement, maintain and monitor a comprehensive, written information security program for records containing personal information (“Program”).Regulations allow for flexibility to tailor each organization’s Program.
See http://pillsburylaw.com/siteFiles/Publications/F829298BD2AC6409DF6C9A9B38A21998.pdf
10 | Privacy for Social Media and Location-Based Marketing
Getting From There to Here
From the EUExporting personal information from the EU to another country is only allowed if the receiving country has data protection laws that have been found “adequate” by the EU DPA
The US is not one of those countriesWithout express consent, exports of personal information from the EU to the US are enabled under three regimes:
Model clauses – efficient for two-party transactionsBinding Corporate Rules – good theory, difficult to implementSafe Harbor – efficient for multi-nationals/multi-party transactions
Some dissatisfaction in EU regarding Safe Harbor
From Canada Contractual obligations to comply with PIPEDA protections
11 | Privacy for Social Media and Location-Based Marketing
Regulatory Concerns & Guidance
FTC Staff Report “Self-Regulatory Principles for Online Behavioral Advertising”
Published Feb. 2009Available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdfProposed four principles for handling online behavioral profiling:
Transparency and controlReasonable security and limited data retentionMust obtain affirmative express consent before information is used in a way that is materially different from that authorized in a privacy statementMust obtain affirmative express consent before using sensitive data (e.g., data about children, health or finances) in advertising
Expressed concept that PII is becoming broader than traditional definition and could include things like IP addressFTC is becoming concerned about creation of data profiles that uniquely identify a person despite lack of specific, traditional PII
12 | Privacy for Social Media and Location-Based Marketing
Regulatory Concerns & Guidance
FTC Staff Report – “Beyond Voice – Mapping the Mobile Marketplace”Published April 2009Available at http://www.ftc.gov/reports/mobilemarketplace/mobilemktgfinal.pdfKey privacy/security findings on LBS:
Contrast between automatic, ubiquitous nature of LBS and cookies or telephone call logs that are created when consumer takes actionConfusion over identity of controller of location informationConfusion over application of current legal structure
Customer Proprietary Network Information (CPNI) rulesApply to location information BUTDo not apply to non-telecom carriers ANDProtect account holder, which may not be user of mobile device
Notice & Consent Banner ad vs. disclosure to third partyFrequency of notice issuesChildren’s use
International issues (e.g., EU data retention requirements)
13 | Privacy for Social Media and Location-Based Marketing
Regulatory Concerns & Guidance
FTC Preliminary Report “Protecting Consumer Privacy in an Era of Rapid Change”
Published Dec. 2010Available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdfKey findings:
Expands concept of “harm” from just economicEndorses “do not track” conceptPromotes idea of “privacy by design”
Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.
14 | Privacy for Social Media and Location-Based Marketing
Regulatory Concerns & Guidance
Dept. of Commerce “Green Paper” – “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework
Published Dec. 2010Available at http://www.ntia.doc.gov//reports/2010/IPTF_Privacy_GreenPaper_12162010.pdfMore commerce and policy orientedRecommends application of “Fair Information Privacy Principles”Does not address privacy by design or privacy enhancing technologies
EU “Communication” – “A comprehensive approach on personal data protection in the European Union”
Published April 2010Available at http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdfFocuses on rapid rate of change in technologyGoal is to focus on improving protection of personal privacy, increasing transparency (including for children), enhancing control over own information (including “right to be forgotten”), strengthening rules on consent, and extending enforcement powers and sanctions.
15 | Privacy for Social Media and Location-Based Marketing
Additional Guidance
CTIA – “Best Practices and Guidelines for Location-Based Services”v.2.0 published March 23, 2010Available at http://files.ctia.org/pdf/CTIA_LBS_Best_Practices_Adopted_03_10.pdfFocuses on notice and consent
LBS providers must ensure ability of users to receive meaningful notice LBS providers must ensure users consent and recognize that LBS providers bear burden of demonstrating consentUsers must have right to terminate consent at any time
Sample policies available at http://www.ctia.org/business_resources/wic/index.cfm/AID/11924
EFF – “On Locational Privacy, and How to Avoid Losing it Forever”“build systems which don’t collect the data in the first place”
16 | Privacy for Social Media and Location-Based Marketing
So What’s Congress Up To?
Last Congress -Two privacy bills
H.R. 5777 – “Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (The Best Practices Act)Boucher/Sterns Privacy Bill
Contemplating definitions of personal information that are broader than are currently used in US and more like EU (IP address has been mentioned)Several data security bills
H.R.2221 Data Accountability and Trust Act / S.3742 Data Security and Breach Notification Act of 2010 S.1490 Personal Data Privacy and Security Act of 2009 S.3579 Data Security Act of 2010S.3742 -- Data Security and Breach Notification Act of 2010
Each contains requirements for data aggregators and for protection of personal information, as well as data breach notification obligations
17 | Privacy for Social Media and Location-Based Marketing
What’s Likely?
Window of about 8 months before 2012 election gridlockLeading House Republicans are interested in privacy
Joe Barton (R-TX) - Leading Republican on the Energy and Commerce CommitteeCliff Stearns (R-FL) – House Subcommittee on Communications, Technology, and the Internet
Still, not much likely on a big scale - smaller pieces might get throughElectronic Communications Privacy Act reform - Tech industry and DoJ both want clarity on rules related to law enforcement searches of e-mail messages and documents stored in the cloud Web tracking and Privacy
Several Republicans opposed it in 2010; FTC has endorsed itFTC likely to revise COPPA regulations - Likely to expand definition of PII
States likely to keep moving forward Europeans likely to put more pressure on US – either through multinationals or US gov’t – to protect EU consumer data
18 | Privacy for Social Media and Location-Based Marketing
Creating Privacy Policies and Privacy by Design
19 | Privacy for Social Media and Location-Based Marketing
Drafting and Implementing a Privacy Policy
Privacy decisions are operational decisions
Privacy statement is a contractual commitment with the user that may be enforced by the FTC or other regulatory agencies
Copying the privacy statement from another company is not a goodidea
Technically copyright infringementAssumes that the copied policy is worth copyingAssumes that you’re doing business in the same way that company is
20 | Privacy for Social Media and Location-Based Marketing
Privacy Statement for Social Media and LBS
General Privacy Statement ObligationsNotice - Must be provided in plain language; must not be misleadingChoice
LBS or other identifying services (e.g., photo-tagging) should be opt-inUse of information for purposes not originally identified requires new consentDistinction between account holder consent and user consentUsers should be able to withdraw consent and information about them should be removed
Onward transfer – Describe third parties to whom information is providedSecurity – Commit to security of informationAccess – Users should be able to see information you’ve collected about them (if you keep it)
Children’s information raises additional issuesCOPPA
21 | Privacy for Social Media and Location-Based Marketing
Facebook Places
Opt-in ServiceUnlike Beacon, which was opt-outFacebook users can “place” tag friends who have not signed up for Places, BUT tags do not become active until tagged individual approves them
Assumption is that people will sign upPrivacy by Design
Best implementation would be to reject Place tags for anyone who has not activated the service, but provide incentives to turn it onBetter implementation would be to only hold Place tags for non-users for limited period of time then delete them
Facebook users can check other users into locations (2nd party tagging)2nd party check-ins can be manually deletedIndividual friends can be blocked from 2nd party check-ins2nd party check-ins can be blocked completelyPrivacy by Design - Best implementation would be that 2nd party check-ins are blocked by default and must be turned on, but provide incentives to turn it on
22 | Privacy for Social Media and Location-Based Marketing
Facebook Places (cont)
Default is “friends only”Leakage to “friends of friends”Special protections to limit access to information for members under 18 to friends only
The Unspoken ProblemFacebook limits membership to age 13 and over.According to industry, most popular games among U13s are Facebook gamesAccording to Center on Media and Child Health:
60 percent of children ages 10 to 14 have cell phones22 percent of children 9 and younger have cell phones
23 | Privacy for Social Media and Location-Based Marketing
Facebook Photo Tagging & Facial Recognition
Facial Recognition & TaggingWhen a user can tag friends in an album, Facebook will use its facial recognition technology to group similar faces together and automatically fill in the "Who is this?" box with its suggestionUsers can log in and remove tagsUsers can opt out of Tag Suggestions by going to their privacy settings and disabling the "Suggest photos of me to friends" feature
Individuals being tagged in a photo do not have to have a profile on FacebookPrivacy by Design:
No tagging people without Facebook profilesUsers can opt-in to photo tagging – provide incentives for opting inMultiple options for tag approval – provide incentives for increasing access
Universal Selective (white list or black list)Approval required
24 | Privacy for Social Media and Location-Based Marketing
Comments and Questions?
Thank you for listening.